From 84f774265b36180477622b627c561fbf65db0b1e Mon Sep 17 00:00:00 2001
From: Shreyas
Date: Wed, 22 Apr 2026 23:55:27 +0530
Subject: [PATCH] fix: remediate `quinn-proto` vulnerability across native packages (#6174)

Co-authored-by: orbisai0security <242526317+orbisai0security@users.noreply.github.com>
---
 .../hoppscotch-agent/src-tauri/Cargo.lock | 4 +-
 .../tauri-plugin-relay/Cargo.lock | 46 ++++++-
 .../tauri-plugin-relay/devenv.lock | 116 +++++-------------
 .../tauri-plugin-relay/devenv.nix | 11 +-
 .../tauri-plugin-relay/devenv.yaml | 23 ++--
 .../hoppscotch-desktop/src-tauri/Cargo.lock | 50 +++++++-
 .../hoppscotch-desktop/src-tauri/Cargo.toml | 2 +-
 packages/hoppscotch-kernel/package.json | 2 +-
 pnpm-lock.yaml | 10 +-
 9 files changed, 139 insertions(+), 125 deletions(-)

diff --git a/packages/hoppscotch-agent/src-tauri/Cargo.lock b/packages/hoppscotch-agent/src-tauri/Cargo.lock
index 6d8aa024..466a3e7e 100644
--- a/packages/hoppscotch-agent/src-tauri/Cargo.lock
+++ b/packages/hoppscotch-agent/src-tauri/Cargo.lock
@@ -3950,9 +3950,9 @@ dependencies = [
 [[package]]
 name = "quinn-proto"
-version = "0.11.13"
+version = "0.11.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1906b49b0c3bc04b5fe5d86a77925ae6524a19b816ae38ce1e426255f1d8a31"
+checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
 dependencies = [
  "bytes",
  "getrandom 0.3.4",
diff --git a/packages/hoppscotch-desktop/plugin-workspace/tauri-plugin-relay/Cargo.lock b/packages/hoppscotch-desktop/plugin-workspace/tauri-plugin-relay/Cargo.lock
index 3ea7b345..5db8192a 100644
--- a/packages/hoppscotch-desktop/plugin-workspace/tauri-plugin-relay/Cargo.lock
+++ b/packages/hoppscotch-desktop/plugin-workspace/tauri-plugin-relay/Cargo.lock
@@ -1118,8 +1118,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "43a49c392881ce6d5c3b8cb70f98717b7c07aabbdff06687b9030dbfbe2725f8"
 dependencies = [
  "cfg-if",
+ "js-sys",
  "libc",
  "wasi 0.13.3+wasi-0.2.2",
+ "wasm-bindgen",
  "windows-targets 0.52.6",
 ]
@@ -1890,6 +1892,12 @@ version = "0.4.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "30bde2b3dc3671ae49d8e2e9f044c7c005836e7a023ee57cffa25ab82764bb9e"
+[[package]]
+name = "lru-slab"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154"
+
 [[package]]
 name = "mac"
 version = "0.1.1"
@@ -2708,13 +2716,14 @@ dependencies = [
 [[package]]
 name = "quinn-proto"
-version = "0.11.9"
+version = "0.11.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a2fe5ef3495d7d2e377ff17b1a8ce2ee2ec2a18cde8b6ad6619d65d0701c135d"
+checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
 dependencies = [
  "bytes",
- "getrandom 0.2.15",
- "rand 0.8.5",
+ "getrandom 0.3.1",
+ "lru-slab",
+ "rand 0.9.4",
  "ring",
  "rustc-hash",
  "rustls",
@@ -2774,6 +2783,16 @@ dependencies = [
  "rand_core 0.6.4",
 ]
+[[package]]
+name = "rand"
+version = "0.9.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea"
+dependencies = [
+ "rand_chacha 0.9.0",
+ "rand_core 0.9.5",
+]
+
 [[package]]
 name = "rand_chacha"
 version = "0.2.2"
@@ -2794,6 +2813,16 @@ dependencies = [
  "rand_core 0.6.4",
 ]
+[[package]]
+name = "rand_chacha"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
+dependencies = [
+ "ppv-lite86",
+ "rand_core 0.9.5",
+]
+
 [[package]]
 name = "rand_core"
 version = "0.5.1"
@@ -2812,6 +2841,15 @@ dependencies = [
  "getrandom 0.2.15",
 ]
+[[package]]
+name = "rand_core"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c"
+dependencies = [
+ "getrandom 0.3.1",
+]
+
 [[package]]
 name = "rand_hc"
 version = "0.2.0"
diff --git a/packages/hoppscotch-desktop/plugin-workspace/tauri-plugin-relay/devenv.lock b/packages/hoppscotch-desktop/plugin-workspace/tauri-plugin-relay/devenv.lock
index 74875226..03df3f3b 100644
--- a/packages/hoppscotch-desktop/plugin-workspace/tauri-plugin-relay/devenv.lock
+++ b/packages/hoppscotch-desktop/plugin-workspace/tauri-plugin-relay/devenv.lock
@@ -3,10 +3,11 @@
     "devenv": {
       "locked": {
         "dir": "src/modules",
-        "lastModified": 1732585607,
+        "lastModified": 1776802132,
+        "narHash": "sha256-2yO2SGA7zVFYKe0qyJjdg7WHuMOKNwTQmigL7ydD8hI=",
         "owner": "cachix",
         "repo": "devenv",
-        "rev": "a520f05c40ebecaf5e17064b27e28ba8e70c49fb",
+        "rev": "91affc7a7b6646852a0079678eadf12ac5029d9d",
         "type": "github"
       },
       "original": {
@@ -24,10 +25,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1732602776,
+        "lastModified": 1776845169,
+        "narHash": "sha256-Ya6Ba5oC0+PK1TSU4Rkjpoca73mUp6FoHQV5QGnqbx0=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "e0d44b70dcd2b98dd77857b4c5c7b1dc6b1ef56d",
+        "rev": "f0b5be1fa2891221ba8b48784f8fded5ef15301f",
         "type": "github"
       },
       "original": {
@@ -36,47 +38,13 @@
         "type": "github"
       }
     },
-    "flake-compat": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "gitignore": {
-      "inputs": {
-        "nixpkgs": [
-          "pre-commit-hooks",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1709087332,
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "type": "github"
-      }
-    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1732238832,
+        "lastModified": 1776329215,
+        "narHash": "sha256-a8BYi3mzoJ/AcJP8UldOx8emoPRLeWqALZWu4ZvjPXw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "8edf06bea5bcbee082df1b7369ff973b91618b8d",
+        "rev": "b86751bc4085f48661017fa226dee99fab6c651b",
         "type": "github"
       },
       "original": {
@@ -86,58 +54,22 @@
         "type": "github"
       }
     },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1731797254,
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "pre-commit-hooks": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "gitignore": "gitignore",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
-      },
-      "locked": {
-        "lastModified": 1732021966,
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "rev": "3308484d1a443fc5bc92012435d79e80458fe43c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "devenv": "devenv",
         "fenix": "fenix",
         "nixpkgs": "nixpkgs",
-        "pre-commit-hooks": "pre-commit-hooks"
+        "rust-overlay": "rust-overlay"
       }
     },
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1732562640,
+        "lastModified": 1776800521,
+        "narHash": "sha256-f8YJfwAOsLFpIoqZuX3yF69UvMLrkx7iVzMH1pJU7cM=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "157c7d01149e9be7179c5724b89d8d073e923bd8",
+        "rev": "8954b66d43225e62c92e8bbcc8500191b5cceb1e",
         "type": "github"
       },
       "original": {
@@ -146,8 +78,28 @@
         "repo": "rust-analyzer",
         "type": "github"
       }
+    },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1776827647,
+        "narHash": "sha256-sYixYhp5V8jCajO8TRorE4fzs7IkL4MZdfLTKgkPQBk=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "40e6ccc06e1245a4837cbbd6bdda64e21cc67379",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
     }
   },
   "root": "root",
   "version": 7
-}
+}
\ No newline at end of file
diff --git a/packages/hoppscotch-desktop/plugin-workspace/tauri-plugin-relay/devenv.nix b/packages/hoppscotch-desktop/plugin-workspace/tauri-plugin-relay/devenv.nix
index 1e49dd78..c6f1f7a1 100644
--- a/packages/hoppscotch-desktop/plugin-workspace/tauri-plugin-relay/devenv.nix
+++ b/packages/hoppscotch-desktop/plugin-workspace/tauri-plugin-relay/devenv.nix
@@ -7,12 +7,7 @@ let
     else pkgs;
   darwinPackages = with pkgs; [
-    darwin.apple_sdk.frameworks.Security
-    darwin.apple_sdk.frameworks.CoreServices
-    darwin.apple_sdk.frameworks.CoreFoundation
-    darwin.apple_sdk.frameworks.Foundation
-    darwin.apple_sdk.frameworks.AppKit
-    darwin.apple_sdk.frameworks.WebKit
+    apple-sdk
   ];
   linuxPackages = with pkgs; [
@@ -27,8 +22,8 @@ in {
   packages = with pkgs; [
     git
     nodejs_22
-    nodePackages_latest.typescript-language-server
-    nodePackages_latest.vue-language-server
+    typescript-language-server
+    vue-language-server
     cargo-edit
   ] ++ lib.optionals pkgs.stdenv.isDarwin darwinPackages
     ++ lib.optionals pkgs.stdenv.isLinux linuxPackages;
diff --git a/packages/hoppscotch-desktop/plugin-workspace/tauri-plugin-relay/devenv.yaml b/packages/hoppscotch-desktop/plugin-workspace/tauri-plugin-relay/devenv.yaml
index 9ee9ba34..d0169201 100644
--- a/packages/hoppscotch-desktop/plugin-workspace/tauri-plugin-relay/devenv.yaml
+++ b/packages/hoppscotch-desktop/plugin-workspace/tauri-plugin-relay/devenv.yaml
@@ -1,23 +1,14 @@
-# yaml-language-server: $schema=https://devenv.sh/devenv.schema.json
 inputs:
-  # For NodeJS-22 and above
-  nixpkgs:
-    url: github:NixOS/nixpkgs/nixpkgs-unstable
-  # nixpkgs:
-  #   url: github:cachix/devenv-nixpkgs/rolling
   fenix:
     url: github:nix-community/fenix
     inputs:
       nixpkgs:
         follows: nixpkgs
-
-# If you're using non-OSS software, you can set allowUnfree to true.
+  nixpkgs:
+    url: github:NixOS/nixpkgs/nixpkgs-unstable
+  rust-overlay:
+    url: github:oxalica/rust-overlay
+    inputs:
+      nixpkgs:
+        follows: nixpkgs
 allowUnfree: true
-
-# If you're willing to use a package that's vulnerable
-# permittedInsecurePackages:
-#   - "openssl-1.1.1w"
-
-# If you have more than one devenv you can merge them
-#imports:
-#   - ./backend
diff --git a/packages/hoppscotch-desktop/src-tauri/Cargo.lock b/packages/hoppscotch-desktop/src-tauri/Cargo.lock
index e69d720a..7ff45914 100644
--- a/packages/hoppscotch-desktop/src-tauri/Cargo.lock
+++ b/packages/hoppscotch-desktop/src-tauri/Cargo.lock
@@ -2068,9 +2068,11 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "26145e563e54f2cadc477553f1ec5ee650b00862f0a58bcd12cbdc5f0ea2d2f4"
 dependencies = [
  "cfg-if",
+ "js-sys",
  "libc",
  "r-efi",
  "wasi 0.14.2+wasi-0.2.4",
+ "wasm-bindgen",
 ]
 [[package]]
@@ -2968,7 +2970,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fc2f4eb4bc735547cfed7c0a4922cbd04a4655978c09b54f1f7b228750664c34"
 dependencies = [
  "cfg-if",
- "windows-targets 0.52.6",
+ "windows-targets 0.48.5",
 ]
 [[package]]
@@ -3049,6 +3051,12 @@ dependencies = [
  "hashbrown 0.15.2",
 ]
+[[package]]
+name = "lru-slab"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154"
+
 [[package]]
 name = "lzma-rs"
 version = "0.3.0"
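Review bot: The new `rust-overlay` input at the end of `inputs:` is not referenced by either visible `devenv.nix` hunk; if the unseen remainder of `devenv.nix` does not consume it, it is one more upstream repository pinned in `devenv.lock` and fetched on every update for no benefit, and it should be dropped rather than widen what this dev shell trusts. The removed first line `# yaml-language-server: $schema=https://devenv.sh/devenv.schema.json` costs nothing and keeps editor-side validation of this file, so I would restore it. Nothing in the commit message explains why the dev-environment inputs were reworked (nixpkgs and fenix bumped, `pre-commit-hooks` removed from the root inputs in `devenv.lock`) inside a `quinn-proto` remediation; if the bump was needed for the toolchain to build `quinn-proto` 0.11.14 and `rand` 0.9, a comment above `inputs:` such as `# nixpkgs/fenix pinned forward so the Rust toolchain builds quinn-proto >= 0.11.14` would record that, and otherwise the input rework belongs in its own change.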
@@ -4183,13 +4191,14 @@ dependencies = [
 [[package]]
 name = "quinn-proto"
-version = "0.11.9"
+version = "0.11.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a2fe5ef3495d7d2e377ff17b1a8ce2ee2ec2a18cde8b6ad6619d65d0701c135d"
+checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
 dependencies = [
  "bytes",
- "getrandom 0.2.15",
- "rand 0.8.5",
+ "getrandom 0.3.3",
+ "lru-slab",
+ "rand 0.9.4",
  "ring",
  "rustc-hash",
  "rustls",
@@ -4255,6 +4264,16 @@ dependencies = [
  "rand_core 0.6.4",
 ]
+[[package]]
+name = "rand"
+version = "0.9.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea"
+dependencies = [
+ "rand_chacha 0.9.0",
+ "rand_core 0.9.5",
+]
+
 [[package]]
 name = "rand_chacha"
 version = "0.2.2"
@@ -4275,6 +4294,16 @@ dependencies = [
  "rand_core 0.6.4",
 ]
+[[package]]
+name = "rand_chacha"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
+dependencies = [
+ "ppv-lite86",
+ "rand_core 0.9.5",
+]
+
 [[package]]
 name = "rand_core"
 version = "0.5.1"
@@ -4293,6 +4322,15 @@ dependencies = [
  "getrandom 0.2.15",
 ]
+[[package]]
+name = "rand_core"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c"
+dependencies = [
+ "getrandom 0.3.3",
+]
+
 [[package]]
 name = "rand_hc"
 version = "0.2.0"
@@ -5683,7 +5721,7 @@ dependencies = [
 [[package]]
 name = "tauri-plugin-relay"
 version = "0.1.0"
-source = "git+https://github.com/CuriousCorrelation/tauri-plugin-relay?rev=7cf09c1ad31e228758738c2f4e1c8fe9cc141291#7cf09c1ad31e228758738c2f4e1c8fe9cc141291"
+source = "git+https://github.com/CuriousCorrelation/tauri-plugin-relay?rev=42f449e1c5657679fecf0374b0ce5047ad03c069#42f449e1c5657679fecf0374b0ce5047ad03c069"
 dependencies = [
  "relay",
  "serde",
diff --git a/packages/hoppscotch-desktop/src-tauri/Cargo.toml b/packages/hoppscotch-desktop/src-tauri/Cargo.toml
index 7d964fcf..53fb4f25 100644
--- a/packages/hoppscotch-desktop/src-tauri/Cargo.toml
+++ b/packages/hoppscotch-desktop/src-tauri/Cargo.toml
@@ -30,7 +30,7 @@ tauri-plugin-dialog = "2.2.0"
 tauri-plugin-fs = "2.2.0"
 tauri-plugin-deep-link = "2.2.0"
 tauri-plugin-appload = { git = "https://github.com/CuriousCorrelation/tauri-plugin-appload", rev = "0d58d53be2bc75aeb5916bd0d77794fd209426af" }
-tauri-plugin-relay = { git = "https://github.com/CuriousCorrelation/tauri-plugin-relay", rev = "7cf09c1ad31e228758738c2f4e1c8fe9cc141291" }
+tauri-plugin-relay = { git = "https://github.com/CuriousCorrelation/tauri-plugin-relay", rev = "42f449e1c5657679fecf0374b0ce5047ad03c069" }
 axum = "0.8.1"
 tower-http = { version = "0.6.2", features = ["cors"] }
 random-port = "0.1.1"
diff --git a/packages/hoppscotch-kernel/package.json b/packages/hoppscotch-kernel/package.json
index fde88e18..52dce25b 100644
--- a/packages/hoppscotch-kernel/package.json
+++ b/packages/hoppscotch-kernel/package.json
@@ -58,7 +58,7 @@
     }
   },
   "dependencies": {
-    "@hoppscotch/plugin-relay": "github:CuriousCorrelation/tauri-plugin-relay#7cf09c1ad31e228758738c2f4e1c8fe9cc141291",
+    "@hoppscotch/plugin-relay": "github:CuriousCorrelation/tauri-plugin-relay#42f449e1c5657679fecf0374b0ce5047ad03c069",
     "@tauri-apps/plugin-dialog": "2.0.1",
     "@tauri-apps/plugin-fs": "2.0.2",
     "@tauri-apps/plugin-shell": "2.3.3",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index c3519f0e..895ff7cc 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -1324,8 +1324,8 @@ importers:
   packages/hoppscotch-kernel:
     dependencies:
       '@hoppscotch/plugin-relay':
-        specifier: github:CuriousCorrelation/tauri-plugin-relay#7cf09c1ad31e228758738c2f4e1c8fe9cc141291
-        version: '@CuriousCorrelation/plugin-relay@https://codeload.github.com/CuriousCorrelation/tauri-plugin-relay/tar.gz/7cf09c1ad31e228758738c2f4e1c8fe9cc141291'
+        specifier: github:CuriousCorrelation/tauri-plugin-relay#42f449e1c5657679fecf0374b0ce5047ad03c069
+        version: '@CuriousCorrelation/plugin-relay@https://codeload.github.com/CuriousCorrelation/tauri-plugin-relay/tar.gz/42f449e1c5657679fecf0374b0ce5047ad03c069'
       '@tauri-apps/api':
         specifier: 2.1.1
         version: 2.1.1
@@ -1785,8 +1785,8 @@ packages:
     resolution: {tarball: https://codeload.github.com/CuriousCorrelation/tauri-plugin-appload/tar.gz/0d58d53be2bc75aeb5916bd0d77794fd209426af}
     version: 0.1.0
-  '@CuriousCorrelation/plugin-relay@https://codeload.github.com/CuriousCorrelation/tauri-plugin-relay/tar.gz/7cf09c1ad31e228758738c2f4e1c8fe9cc141291':
-    resolution: {tarball: https://codeload.github.com/CuriousCorrelation/tauri-plugin-relay/tar.gz/7cf09c1ad31e228758738c2f4e1c8fe9cc141291}
+  '@CuriousCorrelation/plugin-relay@https://codeload.github.com/CuriousCorrelation/tauri-plugin-relay/tar.gz/42f449e1c5657679fecf0374b0ce5047ad03c069':
+    resolution: {tarball: https://codeload.github.com/CuriousCorrelation/tauri-plugin-relay/tar.gz/42f449e1c5657679fecf0374b0ce5047ad03c069}
     version: 0.1.0
   '@acemir/cssom@0.9.31':
@@ -12775,7 +12775,7 @@ snapshots:
     dependencies:
       '@tauri-apps/api': 2.9.1
-  '@CuriousCorrelation/plugin-relay@https://codeload.github.com/CuriousCorrelation/tauri-plugin-relay/tar.gz/7cf09c1ad31e228758738c2f4e1c8fe9cc141291':
+  '@CuriousCorrelation/plugin-relay@https://codeload.github.com/CuriousCorrelation/tauri-plugin-relay/tar.gz/42f449e1c5657679fecf0374b0ce5047ad03c069':
     dependencies:
       '@tauri-apps/api': 2.1.1